1. Field of the Disclosure
The present disclosure relates generally to computer virus detection and in particular, to a system and method for computer virus detection utilizing Heuristic analysis.
2. Description of the Related Art
Antivirus (AV) systems may use various methods for detecting malicious code. Malicious code as referred to herein may include a computer virus capable of replicating itself and spreading. More specifically, malicious code may be understood to include, for example, a piece of software that may be designed and written to make additional copies of itself and spread from location to location within a system and/or from system to system. Computer viruses may spread without user knowledge or permission.
Computer virus technology has gone through various evolutionary stages since the very first viruses. Early viruses infected files, but were not camouflaged in any substantial way. Accordingly, they could be easily recognized by even novice users utilizing file viewing software. This also meant that such viruses were relatively easily detected by AV systems.
To counter this, viruses were developed to use encryption as a method of disguising the viral code. However, these viruses still left undisguised decryption code visible to anti-virus software, and were thus fairly easy for AV systems to recognize. Virus developers thus sought to address this vulnerability in their computer viruses. To a certain degree, this was accomplished by a technique called polymorphism. This technique involves pseudo-randomly recreating (usually) different decryption code for each individual infection. With a polymorphic encrypted type of virus, although each individual infection may utilize different decryption code, the actual unencrypted malicious code itself does not necessarily change.
As difficult as viruses protected by polymorphic encryption can be to detect, doing so is now a fairly commonplace event. Detection of polymorphic encrypted viruses can be readily accomplished via emulation of the decryption code to gain access to the then-unencrypted virus body.
Currently, state-of-the-art virus technology is going through yet another evolutionary phase which utilizes a form of disguise called “metamorphism.” A metamorphic disguise differs from previous forms of disguise in that such viruses no longer necessarily use encryption at all to disguise their code. Instead, such viruses reorganize, modify, or even recreate the code that forms the virus body itself.
One method of detecting such metamorphic viruses may involve the use of computationally intense, highly specialized algorithms targeted at specific viruses.
Various AV systems use heuristic detection methods to scan computer code in order to detect malicious code. The methods may include some form of heuristics logic to determine whether particular computer code is malicious. Heuristics logic applies rules to distinguish malicious code from non-malicious code. AV systems using heuristics logic may use self-educating techniques to improve performance.
AV systems may use a combination of emulation and heuristics to detect malicious code. Systems may include a machine emulator that emulates code in the scanning target, while collecting a set of data (e.g., Boolean flags) relating specifically to possible viral code. These systems can be referred to as utilizing static heuristics in that they do not pay attention to the order in which events occur in the emulation.
A deficiency with the static heuristics type system is that possibly very valuable information is regularly being discarded (e.g., the chronological order in which the heuristic data is being collected). If utilized properly, this discarded information can be fundamental to a virus scanner's ability to distinguish between false-positive results (e.g., code that seems viral enough to trigger a detection, but is not actually viral) and true-positive results (e.g., code that seems viral, and actually is).
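As an added illustration that is not part of the patent text, the constructed Python below runs the same emulator event traces through a static flag-set heuristic and through an order-aware heuristic; the event names, the two traces and both detection rules are assumptions made up for the example.

```python
# Constructed illustration, not the patent's code: the same emulation events
# judged as an unordered flag set (static) and as a chronological sequence.
from typing import Iterable, Sequence

# Constructed emulator traces, events in the order the emulator raised them.
# Both traces raise exactly the same SET of events; only the order differs.
TRACES = {
    # A plain copy utility: find a target, open and read it, write the copy.
    "benign_copy_tool": [
        "SEARCH_FILES", "OPEN_FILE", "READ_FILE", "WRITE_FILE", "CLOSE_FILE"],
    # Replication-like ordering: read own image, then find and write another.
    "suspicious_sample": [
        "OPEN_FILE", "READ_FILE", "SEARCH_FILES", "OPEN_FILE", "WRITE_FILE",
        "CLOSE_FILE"],
}

# Flags the static heuristic requires before detecting (constructed rule).
REQUIRED_FLAGS = frozenset({"SEARCH_FILES", "READ_FILE", "WRITE_FILE"})
# Ordered rule for the sequential heuristic (constructed): these events must
# occur in this chronological order; unrelated events may sit in between.
ORDERED_RULE = ["READ_FILE", "SEARCH_FILES", "WRITE_FILE"]

def static_flags(trace: Iterable[str]) -> frozenset:
    """Collapse a trace to the Boolean flags a static heuristic keeps;
    chronological order and repetition are discarded at this point."""
    return frozenset(trace)

def static_verdict(trace: Iterable[str]) -> bool:
    """Static heuristic: fires when every required flag was set at some point."""
    return REQUIRED_FLAGS <= static_flags(trace)

def matches_in_order(trace: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if `pattern` appears in `trace` as an ordered, not necessarily
    contiguous, subsequence (single left-to-right scan)."""
    pos = 0
    for event in trace:
        if pos < len(pattern) and event == pattern[pos]:
            pos += 1
    return pos == len(pattern)

def ordered_verdict(trace: Sequence[str]) -> bool:
    """Sequential heuristic: fires only when events occur in rule order."""
    return matches_in_order(trace, ORDERED_RULE)

def compare(name: str) -> dict:
    """Both verdicts for one constructed trace, for side-by-side inspection."""
    trace = TRACES[name]
    return {"static": static_verdict(trace), "ordered": ordered_verdict(trace)}
```

Because both traces collapse to the same flag set, the static heuristic fires on the copy tool as well as on the replication-like sample, while the order-aware rule separates the two.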